Re: [PHP] Umm... Uh-oh

2002-10-04 Thread Marek Kilimajer
Use realpath() to check the path. I also suspect your script is vulnerable to cross-site includes (include('http://hacker.com/script.inc');)
Rick Beckman wrote: Okay, I was mistaken... There is a gaping security hole in my simple li'l script... How do I modify it to only accept files from a

Re: [PHP] Umm... Uh-oh

2002-10-04 Thread John Wards
erm..would that allow hackers access? Say I have a database include file would hackers be able to get access to my database like this? (include('http://mysite.com/datainc.php');) I hope bloody not!!! If so how on earth do I get round that! John
On Friday 04 Oct 2002 10:52 am, Marek

Re: [PHP] Umm... Uh-oh

2002-10-04 Thread Justin French
all my include files are *.inc, and I have a .htaccess file that makes Apache refuse to serve those files directly thru http. Justin
on 04/10/02 7:58 PM, John Wards ([EMAIL PROTECTED]) wrote: erm..would that allow hackers access? Say I have a database include file would hackers be able

Re: [PHP] Umm... Uh-oh

2002-10-04 Thread John Wards
so as my files are all .php I would be okay from an external hacking attempt? I don't have any worry about internal as I am on a dedicated server John
On Friday 04 Oct 2002 11:02 am, Justin French wrote: all my include files are *.inc, and I have a .htaccess file that makes Apache refuse to

Re: [PHP] Umm... Uh-oh

2002-10-04 Thread Marek Kilimajer
That would not help you if you include files based on unchecked user input.
Justin French wrote: all my include files are *.inc, and I have a .htaccess file that makes Apache refuse to serve those files directly thru http. Justin
on 04/10/02 7:58 PM, John Wards ([EMAIL PROTECTED]) wrote:

Re: [PHP] Umm... Uh-oh

2002-10-04 Thread Stas Maximov
] To: PHP [EMAIL PROTECTED] Sent: Friday, October 04, 2002 10:58 AM Subject: Re: [PHP] Umm... Uh-oh
erm..would that allow hackers access? Say I have a database include file would hackers be able to get access to my database like this? (include('http://mysite.com/datainc.php');) I hope bloody

Re: [PHP] Umm... Uh-oh

2002-10-04 Thread John Wards
, but NOT accessible via http. HTH, Stas
- Original Message - From: John Wards [EMAIL PROTECTED] To: PHP [EMAIL PROTECTED] Sent: Friday, October 04, 2002 10:58 AM Subject: Re: [PHP] Umm... Uh-oh
erm..would that allow hackers access? Say I have a database include file would hackers be able to get

RE: [PHP] Umm... Uh-oh

2002-10-04 Thread John W. Holmes
:[EMAIL PROTECTED]] Sent: Friday, October 04, 2002 6:14 AM To: Stas Maximov Cc: PHP General Subject: Re: [PHP] Umm... Uh-oh
ah never thought of that! John
On Friday 04 Oct 2002 11:14 am, Stas Maximov wrote: The easiest and safest way to get around this problem is to place all your